Vulnerabilities: 2 (via 6 paths)

Dependencies: 97

Source: GitHub


high severity

Uncontrolled Recursion

  • Vulnerable module: commons-lang:commons-lang
  • Introduced through: org.apache.maven.reporting:maven-reporting-impl@3.1.0

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven.doxia:doxia-site-renderer@1.11.1 org.apache.velocity:velocity@1.7 commons-lang:commons-lang@2.4
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven.doxia:doxia-site-renderer@1.11.1 org.apache.velocity:velocity-tools@2.0 org.apache.velocity:velocity@1.7 commons-lang:commons-lang@2.4
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven.doxia:doxia-site-renderer@1.11.1 org.codehaus.plexus:plexus-velocity@1.2 org.apache.velocity:velocity@1.7 commons-lang:commons-lang@2.4

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

There is no fixed version for commons-lang:commons-lang.

high severity

Arbitrary Code Execution

  • Vulnerable module: org.apache.velocity:velocity
  • Introduced through: org.apache.maven.reporting:maven-reporting-impl@3.1.0

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven.doxia:doxia-site-renderer@1.11.1 org.apache.velocity:velocity@1.7
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven.doxia:doxia-site-renderer@1.11.1 org.apache.velocity:velocity-tools@2.0 org.apache.velocity:velocity@1.7
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven.doxia:doxia-site-renderer@1.11.1 org.codehaus.plexus:plexus-velocity@1.2 org.apache.velocity:velocity@1.7

Overview

org.apache.velocity:velocity is a general purpose template engine.

Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine.

Note: Users of org.apache.velocity:velocity should update to org.apache.velocity:velocity-engine-core version 2.3 to mitigate this vulnerability.

Remediation

There is no fixed version for org.apache.velocity:velocity.

medium severity (new)

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: junit:junit@4.13.2, org.apache.maven.doxia:doxia-core@1.12.0 and others

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin junit:junit@4.13.2
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.doxia:doxia-core@1.12.0 org.codehaus.plexus:plexus-container-default@2.1.1 junit:junit@4.13.2
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.doxia:doxia-sink-api@1.12.0 org.apache.maven.doxia:doxia-logging-api@1.12.0 org.codehaus.plexus:plexus-container-default@2.1.1 junit:junit@4.13.2
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.doxia:doxia-core@1.12.0 org.apache.maven.doxia:doxia-logging-api@1.12.0 org.codehaus.plexus:plexus-container-default@2.1.1 junit:junit@4.13.2
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.doxia:doxia-core@1.12.0 org.apache.maven.doxia:doxia-sink-api@1.12.0 org.apache.maven.doxia:doxia-logging-api@1.12.0 org.codehaus.plexus:plexus-container-default@2.1.1 junit:junit@4.13.2

medium severity (new)

EPL-1.0 license

  • Module: org.eclipse.sisu:org.eclipse.sisu.inject
  • Introduced through: org.apache.maven:maven-plugin-api@3.8.9 and org.apache.maven.reporting:maven-reporting-impl@3.1.0

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven:maven-plugin-api@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.apache.maven:maven-model-builder@3.8.9 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-plugin-api@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.apache.maven:maven-resolver-provider@3.8.9 org.apache.maven:maven-model-builder@3.8.9 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.apache.maven:maven-plugin-api@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.5

medium severity (new)

EPL-1.0 license

  • Module: org.eclipse.sisu:org.eclipse.sisu.plexus
  • Introduced through: org.apache.maven:maven-plugin-api@3.8.9 and org.apache.maven.reporting:maven-reporting-impl@3.1.0

Detailed paths

  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven:maven-plugin-api@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-plugin-api@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5
  • Introduced through: gantsign/ktlint-maven-plugin@gantsign/ktlint-maven-plugin org.apache.maven.reporting:maven-reporting-impl@3.1.0 org.apache.maven:maven-core@3.8.9 org.apache.maven:maven-plugin-api@3.8.9 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.5